<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
</table>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.2rc1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.2rc1</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production
 release on the BIND 9.11 branch.
</p>
<p>
 Please see the <code class="filename">CHANGES</code> file for a further
 list of bug fixes and other changes.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
<p>
 ICANN is in the process of introducing a new Key Signing Key (KSK) for
 the global root zone. BIND has multiple methods for managing DNSSEC
 trust anchors, with somewhat different behaviors. If the root
 key is configured using the <span class="command"><strong>managed-keys</strong></span>
 statement, or if the pre-configured root key is enabled by using
 <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
 keys up to date automatically. Servers configured in this way
 will roll seamlessly to the new key when it is published in
 the root zone. However, keys configured using the
 <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
 maintained. If your server is performing DNSSEC validation
 and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
 advised to change your configuration before the root zone begins
 signing with the new KSK. This is currently scheduled for
 October 11, 2017.
</p>
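<p>
 An added example, not part of the BIND documentation or ISC code: a small
 Python audit that reads <code class="filename">named.conf</code> text and reports whether the
 root zone trust anchor sits in <span class="command"><strong>trusted-keys</strong></span> or is covered by
 <span class="command"><strong>managed-keys</strong></span> or <span class="command"><strong>dnssec-validation auto</strong></span>.
 The sample configuration and its key strings are constructed placeholders, and the
 function names are hypothetical.
</p>

```python
import re

# Constructed sample configuration; the key strings are placeholders, not real keys.
SAMPLE_CONF = '''
options {
    dnssec-validation yes;   // validation on, but no automatic root anchor
};
/* static anchors: never refreshed by named */
trusted-keys {
    "." 257 3 8 "PLACEHOLDER+ROOT+KSK+BASE64==";
    example.net. 257 3 8 "PLACEHOLDER+ZONE+KSK+BASE64==";
};
managed-keys {
    "example.org." initial-key 257 3 8 "PLACEHOLDER+BASE64==";
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    pattern = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return pattern.sub(lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)

def anchors(conf, statement):
    """Return the zone names listed in every `statement { ... };` block."""
    names = []
    for block in re.finditer(r'\b%s\s*\{(.*?)\}\s*;' % re.escape(statement), conf, re.S):
        for entry in block.group(1).split(';'):
            tokens = entry.split()
            if tokens:
                names.append(tokens[0].strip('"'))
    return names

def audit(text):
    """Classify trust anchors and flag a root key that named will not maintain."""
    conf = strip_comments(text)
    static = anchors(conf, 'trusted-keys')
    managed = anchors(conf, 'managed-keys')
    auto = re.search(r'\bdnssec-validation\s+auto\s*;', conf) is not None
    findings = []
    if '.' in static:
        findings.append('root key in trusted-keys: not maintained automatically')
    if '.' in static and not ('.' in managed or auto):
        findings.append('no managed-keys root anchor and dnssec-validation is not auto')
    return {'static': static, 'managed': managed, 'auto': auto, 'findings': findings}

if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF)['findings']:
        print(finding)
```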
<p>
 This release includes an updated version of the
 <code class="filename">bind.keys</code> file containing the new root
 key. This file can also be downloaded from
 <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
 With the release of BIND 9.11.0, ISC changed the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0).
</p>
<p>
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
</p>
<p>
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore, this change will be without consequence
 for most individuals and organizations who are using BIND.
</p>
<p>
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li><p>
 An error in TSIG handling could permit unauthorized zone
 transfers or zone updates. These flaws are disclosed in
 CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</p></li>
<li><p>
 The BIND installer on Windows used an unquoted service path,
 which can enable privilege escalation. This flaw is disclosed
 in CVE-2017-3141. [RT #45229]
</p></li>
<li><p>
 With certain RPZ configurations, a response with TTL 0
 could cause <span class="command"><strong>named</strong></span> to go into an infinite
 query loop. This flaw is disclosed in CVE-2017-3140.
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li><p>
 <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
 for EDNS options in addition to numeric values. For example,
 an EDNS Client-Subnet option could be sent using
 <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
 John Worley of Secure64 for the contribution. [RT #44461]
</p></li>
<li><p>
 Threads in <span class="command"><strong>named</strong></span> are now given human-readable
 names to assist debugging on operating systems that support it.
 Threads will have names such as "isc-timer", "isc-sockmgr",
 "isc-worker0001", and so on. This will affect the reporting of
 subsidiary thread names in <span class="command"><strong>ps</strong></span> and
 <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
</p></li>
<li><p>
 DiG now warns about .local queries, which are reserved for
 Multicast DNS. [RT #44783]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li><p>
 Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
 fail on some platforms when LMDB was in use. [RT #45203]
</p></li>
<li><p>
 Due to some incorrectly deleted code, when BIND was
 built with LMDB, zones that were deleted via
</p></li>
</ul></div>
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>